U.S. Markets close in 4 hrs 24 mins

How Europe's 'breakthrough' privacy law takes on Facebook and Google

Olivia Solon

Europe’s General Data Protection Regulation is forcing big changes at tech’s biggest firms – even if the US isn’t likely to follow suit

Mark Zuckerberg, the Facebook CEO, testifies before Congress. Photograph: Zach Gibson/Getty Images

Despite the political theatre of Mark Zuckerberg’s congressional interrogations last week, Facebook’s business model isn’t at any real risk from regulators in the US. In Europe, however, the looming General Data Protection Regulation will give people better privacy protections and force companies including Facebook to make sweeping changes to the way they collect data and consent from users – with huge fines for those who don’t comply.

“It’s changing the balance of power from the giant digital marketing companies to focus on the needs of individuals and democratic society,” said Jeffrey Chester, founder of the Center for Digital Democracy. “That’s an incredible breakthrough.”

Here’s a simple guide to the new rules.

What is GDPR?

It is a regulation that requires companies to protect the personal data and privacy of residents of EU countries. It replaces an outdated data protection directive from 1995 and restricts the way businesses collect, store and export people’s personal data.

“Consumers have been abused,” said David Carroll, an associate professor at Parsons School of Design in New York. “Marketers have succeeded in making people feel powerless and resigned to getting the short end of the bargain. GDPR gives consumers the chance to renegotiate that very unfair deal.”

Does it only affect European companies?

No. It applies to all companies that process the personal data of people residing in the European Union.

What counts as personal data?

Any information related to a person that can be used to identify them, including their name, photo, email address, IP address, bank details, posts on a social networking site, medical information, biometric data and sexual orientation.

What new rights do people get?

Under GDPR, people get expanded rights to obtain the data that a company has collected about them for free through a “data subject request”. People will also have the “right to be forgotten”, which means companies must delete someone’s data if they withdraw their consent for it to be held. Companies will only be able to collect data if there’s a specific business purpose for it, rather than collecting extra information at the point of sign-up just in case.

“It makes companies become much more thoughtful and rigorous about the data they collect and what they use it for,” Carroll said.

What makes this a potential game changer is the amount of power it places into the hands of the public

Attorney Jason Straight

Companies will have to replace long terms and conditions filled with legalese with simple-to-digest consent requests. It must be as easy to withdraw consent as to give it. Finally, if a company has a data breach, it must inform users within 72 hours.

“What makes this a potential game changer is the amount of power it places into the hands of the public,” said attorney Jason Straight, who is chief privacy officer at legal services company UnitedLex.

What about people outside of Europe?

Although it only applies to people located in the EU, the new rules will probably put pressure on companies to offer further protections for the rest of their users. Facebook, for example, has pledged to offer GDPR privacy controls globally.

“This will be good for everyone,” said Kris Lahiri, co-founder at the cloud-sharing company Egnyte, pointing out that global customers will demand the same rights as their European counterparts.

Which companies have the most work to do?

The big data-hungry technology platforms like Amazon, Google and Facebook and advertising technology companies such as Criteo, whose technology powers those ads featuring products you’ve browsed online that follow you around the internet.

What is Facebook doing to comply?

Having said it would follow GDPR “in spirit”, Facebook’s actions tell a different story. On Wednesday Reuters reported that the company would change its terms of service so that its 1.5 billion non-European users would no longer be covered by the privacy law. Until now, all users outside of the US and Canada have been governed by terms of service agreed with the company’s international headquarters in Ireland. Since any user data processed in Ireland will soon fall under GDPR, Facebook is changing the agreement so users in Africa, Asia, Australia and Latin America are governed by more lenient US privacy laws.

Where it needs to comply with GDPR, Facebook seems to have focused its efforts on getting user consent for its data collection practices (including facial biometric data) rather than reducing the data it collects. It has developed a sequence of consent requests that explicitly outline how each type of data will be used. However, as TechCrunch highlighted, the company has designed these requests in a way that makes it harder to opt out than opt in.

What about startups who don’t have the same resources?

Complying with GDPR may be a little onerous for companies that don’t have the engineering resources of Facebook or Google. According to a PwC survey, 68% of US companies expect to spend between $1m and $10m to comply with GDPR.

And there’s another way they’ll get stung: GDPR consultants charging enormous fees for patchy advice.

What are the penalties for companies that don’t comply?

Companies can be fined up to 4% of annual global revenue, but it will come down to how regulators in individual countries choose to enforce the law.

When does it come into effect?

The twenty-fifth of May 2018. That’s too early for some: “There’s a panic mode setting in as everyone is getting closer to this deadline,” said Lahiri.

  • This article was amended on 19 April 2018 to clarify that GDPR protections apply to anyone located within the EU, not just residents.